1. INTRODUCTION
1.1 Purpose
1.2 Background
1.3 Agency Objectives
1.4 Risk Categories
1.5 Risk Appetite Methodology
1.6 How to Use This Statement
2. OVERALL RISK APPETITE STATEMENT
3. PROGRAMMATIC RISK
4. FIDUCIARY RISK
5. REPUTATIONAL RISK
6. LEGAL RISK
7. SECURITY RISK
8. HUMAN-CAPITAL RISK
9. INFORMATION-TECHNOLOGY RISK
1. INTRODUCTION
1.1 Purpose
The purpose of this Risk Appetite Statement (hereinafter “Statement”) is to provide U.S. Agency for
International Development (USAID) staff with broad-based guidance on the amount and type of risk the
Agency is willing to accept – based on an evaluation of opportunities and threats at a corporate level,
and in key risk categories – to achieve the Agency’s mission and objectives.
This Statement is a critical component in USAID’s overall effort to achieve effective Enterprise Risk
Management (ERM), and the leadership of the Agency will review and update it annually as the ERM
program matures and our needs evolve.
OMB Circular A-123 states that an Agency’s objectives and the context in which it operates should
inform its risk appetite. On August 7, 2017, USAID Administrator Mark Green articulated the Agency’s
objectives as follows:
We will strive to: (1) end the need for foreign assistance. We must measure our work by how far each
investment moves us closer to the day when our relationship with the host country changes. In many cases,
this day will be far off, but will be a driving force in how we design programs to fit specific needs and
challenges on the ground. To that end, we will focus on (2) strengthening our core capacities and (3)
interagency coordination, while (4) empowering our employees and partners to lead. Finally, we will (5)
respect the taxpayers’ investments by being transparent and accountable stewards of the resources and
expectations given to us from the American people.
On behalf of the American people, we promote and demonstrate democratic values abroad, and
advance a free, peaceful, and prosperous world. In support of America’s foreign policy, the U.S. Agency
for International Development leads the U.S. Government’s international development and disaster
assistance through partnerships and investments that save lives, reduce poverty, strengthen democratic
governance, and help people emerge from humanitarian crises and progress beyond assistance.
Per OMB Circular A-123, “risk” is defined as the “effect of uncertainty on [an Agency’s] objectives.”
This definition is quite different than the everyday use of the word “risk”: it is not necessarily positive or
negative. Rather, it includes factors that could threaten or enhance the likelihood of achieving this set of
objectives. Using this neutral definition of risk that emphasizes the importance of a continual weighing of
cost and benefit, USAID defines the key categories of risk as follows:
● Programmatic Risks are events or circumstances that could potentially improve or undermine
the effectiveness of USAID’s development or humanitarian assistance.
● Fiduciary Risks are events or circumstances that could result in fraud, waste, loss, or the
unauthorized use of U.S. Government funds, property, or other assets. It also refers to conflicts
of interest that could adversely affect the accountability of U.S. taxpayer dollars, or the
realization of development or humanitarian outcomes.
● Reputational Risks are events or circumstances that could potentially improve or compromise
USAID’s standing or credibility with Congress, the interagency, the American public, host-
country governments, multilateral institutions, implementing partners, beneficiaries, or other
stakeholders.
● Security Risks are events or circumstances that potentially improve or compromise the
security of USAID staff, partners, property, information, funding or facilities.
In Sections 2-9, this Statement places each category of risk on a risk-appetite scale that ranges from
“low” to “medium” to “high”:
● Low Risk Appetite – Areas in which the Agency avoids risk, or acts to minimize or eliminate
the likelihood that the risk will occur, because we have determined the potential downside costs
are intolerable. These are areas in which we typically seek to maintain a very strong control
environment.
● Medium Risk Appetite – Areas in which the Agency must constantly strike a balance between
the potential upside benefits and potential downside costs of a given decision.
This Statement recognizes the reality that frontline staff at USAID is frequently called upon to make
difficult decisions under uncertain circumstances that require a weighing of “opportunities” and
“threats.” For example, our staff could see an “opportunity” to strengthen local ownership for long-
term sustainability as a “threat” that this same investment could come at the expense of short-
term results, or could result in a larger pipeline. This Risk Appetite Statement seeks to clarify the
Agency’s position regarding such (often competing) calculations through the risk appetite
rating scale described in Section 1.5.
In addition to providing guidance on how to weigh opportunities and threats, this Statement informs
how we respond to such risk. Responding to risk can take many forms, including: avoidance of risk
by not investing in a particular approach or not signing an agreement with a particular partner;
reduction of risk through a strong system of internal controls, targeted mitigation measures, or
training and capacity-building efforts, among other options; sharing of risk through strategic
partnerships with key stakeholders; or acceptance of risk without mitigation.
Descriptions of risk-management strategies used across the Agency appear in each of the “We
Will” boxes in Sections 3-9. USAID’s Risk Management Discussion Note (in Annex 1)
also lists a range of tools the Agency uses to assist in managing risk. Additional strategies for
managing risks will depend on a local assessment of the likelihood that an individual risk might occur, and
the impact that such risk could have if it occurs. For example, in countries affected by high levels of
corruption where the likelihood for fraud or diversion of funds is higher than average, we must
implement enhanced controls to further reduce the likelihood of loss. Conversely, in situations in which
an innovative approach is deemed more likely to be successful, or more likely to have a game-changing
impact, we are more likely to weigh the opportunity presented, and accept the risk.
THE RISK PROFILE
Every USAID operating unit (OU) must prepare and submit an annual risk profile through the
Agency's ERM governance structure, as outlined in OMB Circular A-123 and USAID
Operational Policy (ADS 596mab, "Governance Charter for Enterprise Risk
Management and Internal Control at USAID"). These profiles provide a mechanism
to share information on the major risks that face OUs so leadership has visibility of, and can make
decisions about, risk across the Agency. In addition, these profiles provide a mechanism to
ensure that the Agency at all levels makes risk-informed decisions. Risks flagged in these profiles
could include major risks that require additional response, or “treatment,” to reduce the threat
of loss. Profiles could also include strategic risks that OUs accept because they have determined
that the opportunity exceeds the threat of loss. In all cases, assessment of risk and associated
risk response should be guided by this Risk Appetite Statement.
2. OVERALL RISK APPETITE STATEMENT
Programmatic HIGH
Fiduciary LOW
Reputational MEDIUM
Legal LOW
Security LOW
Note: While the Agency’s risk appetite is divided into separate categories, the categories are
interrelated. Additionally, each category contains varying risk appetites for specific areas of focus.
Sections 3-9 provide more nuanced guidance on the Agency’s risk appetite for each category.
Definition: “Programmatic Risk” refers to events or circumstances that could potentially improve or
compromise the effectiveness of USAID’s development or humanitarian assistance.
Overview: If we are going to achieve our long-term objective of ending the need for foreign assistance,
we must take smart and disciplined programmatic risks. We work in contexts that are often changing
rapidly, where – despite our best efforts – evidence to support program design is often incomplete, and
where there is rarely one path to achieving results. A further complication is that many of the locations
in which the Agency delivers foreign assistance are complex and non-permissive environments (NPEs),
in which we are required to navigate higher levels of contextual risk to make effective progress against
programmatic goals. In addition, the disciplines of development and humanitarian assistance continue to
evolve at a rapid pace, and there are huge opportunities that arise from ongoing innovations that can
enable us to achieve breakthrough results. We recognize all of these opportunities and threats,
and are committed to making programmatic decisions based on rigorous analysis, while
recognizing that it is often neither possible, nor practical, to achieve the level of information we
seek, and that the biggest risks of all are often the price of inaction or inadequate action.
WE WILL:
● Make decisions based on analysis and conclusions supported by the best currently-
available evidence.
● Incorporate findings from risk-assessments, such as the mandatory climate-change and
construction risk-assessments, in the design of programs.
● Collaborate with a diverse range of partners to leverage innovative thinking that works in
the country context.
● Evaluate the impact of new approaches to continually build the Agency’s evidence base.
● Work with and through local partners to strengthen local capacity and support them
in their journeys to self-reliance.
● Continually monitor, learn, and adapt as the context changes and new evidence emerges.
● Provide rigorous oversight of activities, and ensure we always operate in accordance
with applicable laws and regulations.
We have a MEDIUM risk appetite with regard to:
● Implementing long-term strategic focus in our country programs. We will set
priorities and implement long-term strategic focus in our country programs based on
rigorous analysis and collaboration with key stakeholders to achieve more-effective
results. We will also continually balance this with our obligation to implement initiatives,
directives and/or priorities from Congress and the interagency not foreseen during the
strategy development process.
We have a HIGH risk appetite with regard to:
● Partnering with the private sector. We will co-design and co-invest with private-sector entities
that promise to leverage or mobilize additional resources or expertise to amplify the impact of our
work, while recognizing that sometimes such partners will fail to mobilize promised capital, or
deliver on commitments.
● Embracing flexible, iterative design and implementation. We will continually learn and
adapt our programming in contexts that are changing rapidly, or in which evidence is incomplete to
improve the likelihood of achieving intended results, while recognizing that such approaches can
sometimes require additional resources, or add another layer of complexity in designing,
implementing, and monitoring programs.
● Innovative modalities for acquisition and assistance. We will employ a broader range of
acquisition and assistance methods, such as those that enable co-creation, to achieve our
programmatic objectives more effectively, including by harnessing innovations, and partnering with
the private sector and local stakeholders.
Definition: “Fiduciary Risk” refers to events or circumstances that could potentially result in fraud,
waste, loss, or unauthorized use of U.S. Government funds, property, or other assets. It also refers to
conflicts of interest that could adversely affect the accountability of U.S. taxpayer dollars, or the
realization of development or humanitarian outcomes.
Overview: We respect our role as a steward of the resources given to us by the American people, and
take a zero-tolerance approach toward fraud, corruption, or violation of law that involve U.S. taxpayer
funds. We also recognize that corruption, low absorptive capacity, and weak management capacity in the
country context can increase the Agency’s fiduciary risk, and that we must identify additional measures
as necessary to mitigate this risk. In addition, we acknowledge that there are times when minimizing
fiduciary risk by avoiding implementation modalities that use partner-country systems could come at the
cost of making progress toward our mission of ending the need for foreign assistance. We are thus
committed to striking a balance, in coordination with Congress, between our obligation to safeguard
U.S. taxpayer funds and our strategic objective to increase local capacity and ultimately transition
partner countries from our assistance.
Definition: “Reputational Risk” refers to events or circumstances that could potentially improve or
compromise USAID’s standing or credibility with Congress, the interagency, the American public, host-
country governments, multilateral institutions, implementing partners, beneficiaries, or other
stakeholders.
Overview: Our reputation among key stakeholders has a profound and direct impact on our capacity
to achieve our mission. It affects everything from the budget and authorities granted to us by Congress
to the degree of influence we wield as we work to facilitate greater ownership of development
processes by local partners, including host-country governments. Reputational risk includes risks that
arise from our actual contributions and value, or decisions not to contribute, as well as risks that stem
from perceptions and misperceptions of our contributions and value. We are therefore committed to
protecting the reputation of the Agency by not only implementing effective ERM in everything we do,
but also by effectively engaging and communicating with our stakeholders toward achieving our mission.
● Traditional press outreach and social media. We will leverage outreach through traditional
press and social media to promote and amplify the goals and results of the Agency. However, we
must balance this outreach with the risks inherent in these activities, such as messages re-posted by
outside groups or taken out of context.
● Empowering our employees to represent the Agency. We will empower our employees
with the necessary skills and ability to represent USAID effectively.
● Promoting a culture of learning. We will incentivize and foster a culture of learning by openly
discussing and disseminating lessons learned to enable continuous improvement and enhance our
credibility. This will mean at times identifying mistakes or errors that could affect our reputation.
Definition: “Legal Risk” refers to events or circumstances that could potentially improve or
compromise compliance with law, regulation, Executive Order, or other legal requirement.
Overview: To be accountable stewards of the resources and expectations given to us from the
American people, we must operate in accordance with all applicable laws, regulations, Executive Orders,
and other legal requirements. We recognize that the need to comply with legal requirements is inherent
in all aspects of our activities, and we are committed to seeking appropriate legal review of our actions
to facilitate this compliance. We are obligated to maintain a strong control system that promotes
compliance with legal requirements, and uses Agency attorneys as both a safeguard against unlawful
actions and a resource for informed decision-making.
● Areas either not covered by the law or reasonably open to interpretation. In consultation
with Agency attorneys, we will at times assume a degree of calculated risk to implement innovative
solutions that could help achieve our strategic objectives.
Definition: “Security Risk” refers to circumstances or events that could potentially improve or
compromise the security of USAID staff, partners, information, funding or facilities.
[1] It is important to note that USAID’s staff assigned overseas fall under Chief of Mission (COM) authority, and
therefore risk-management approaches are affected by the Overseas Security Policy Board security standards, the
Regional Security Office, and USAID's participation in Emergency Action Committees chaired by each Chief of
Mission.
● Undertaking mission-critical field visits. We will support staff in undertaking field visits
coordinated and approved in accordance with Post management policies and Regional Security
Officers (RSOs) for the purposes of designing programs, monitoring implementation, or providing
oversight (among other mission-critical purposes). However, we must balance this desire with the
discretion of the RSO, the likelihood of security incidents, and the availability of effective
alternatives, including those that deploy new technology.
● Exploring, testing, or using new security methods or technologies. We will harness the
potential of new methods and technologies to reduce exposure to threats, or increase the
preparedness of employees, while recognizing that sometimes such approaches might not always be
as effective as anticipated.
[2] “Closed spaces” refers to country settings that meet the following criteria: 1) the government in the targeted
country is politically repressive; 2) the government has explicitly rejected USAID assistance or has such an adverse
relationship with the United States that we cannot work with the government on development assistance; and 3)
USAID does not have U.S. Direct-Hire staff in the country.
Definition: “Human-Capital Risk” refers to events or circumstances that could potentially improve or
compromise the capacity, productivity, wellbeing, hiring, or retention of our employees.
Overview: Our success in achieving our mission directly depends on the knowledge, skills, abilities,
dedication, and robustness of our workforce. We recognize that our workforce is our most-important
asset for managing risk – through designing and implementing control systems; making iterative, risk-
informed decisions; skillfully solving problems; coping under pressure; and going the extra mile to ensure
our Agency’s success. However, our workforce can also be a cause of risk, because of skill gaps,
turnover and excessive workload, as well as non-compliance with, or the inconsistent application of,
systems, procedures, and risk-mitigation measures. Our Agency delivers on its mission because of the
capabilities and performance of our talented staff, and is committed to effectively managing the needs of
our current and future workforce. Aligning workforce-planning with the Agency’s
Transformation is essential to ensuring the success of both.
WE WILL:
● Mitigate stress and resilience issues that affect personnel in high-operational-stress
environments through Staff Care and other services.
● Implement agile, transparent processes to attract and onboard employees.
● Execute strategic, forward-looking and flexible workforce-planning processes.
● Empower managers with the skills and support they need to manage staff effectively.
● Uphold a transparent, equitable performance-management system that
promotes excellence.
● Provide high-quality, integrated, and coordinated training and mentoring to build
capacity and support rising leaders.
● Support the professional development of our Foreign Service Nationals to better leverage
their expertise and historical knowledge.
We have a LOW risk appetite with regard to:
● Non-compliance with human-resource laws, regulations, and directives. We will
act to minimize any weaknesses in compliance with legal requirements (e.g., from the Equal
Employment Opportunity Commission, the Office of Personnel and Management, and the
U.S. Merit Systems Protection Board) that could impair the Agency’s ability to hire, train,
assess, or reward USAID employees consistently and fairly, or which could put the
Agency at risk for unfavorable legal outcomes.
● Weaknesses in workforce-planning systems across all hiring categories. We
will mitigate any weaknesses in workforce-planning systems that could undermine the
● Gaps in skills and capacity. We will work to mitigate any deficiencies in training programs that
could impair the effectiveness of our employees.
● Bullying, abuse and sexual harassment in the workplace. We will continue to enforce a
zero-tolerance approach to abusive and harassing behavior among our staff, whether in Washington
or in the field.
● Adopting innovative best practices. We will continually assess best practices in the industry
and Federal Government for attracting, retaining, and developing talent, including seeking flexibilities
for hiring and compensating staff, while recognizing that trying new approaches brings with it the
potential for initiatives to fall short of objectives.
Definition: “Information-Technology (IT) Risk” refers to events or circumstances that could improve
or compromise the processing, security, stability, capacity, performance, or resilience of information
technology.
Overview: IT is interwoven into all aspects of our operations, and is among the most vital investments
supporting the Agency’s work. The IT landscape continues to evolve at a rapid pace, and technological
advances provide opportunities for USAID to operate more efficiently and effectively. At the same time,
cyber threats continue to grow in aggressiveness and sophistication, as the Agency’s need to share and
use information grows. We recognize the important role that IT plays in supporting our mission, and are
committed to delivering robust, responsive, and flexible IT services and products, while protecting
information and information systems from security threats.